Proxy automatic setup for Windows Clients

I’m getting the hang of it, so the linbo cache partition, a kind of local recovery partition, from which the client can be restored to the state in the image without a network (or if the server image changes, it will synchronize itself to it), is this the function known as self-healing? Is this mandatory to create or can it be omitted on clients with smaller storage space? E.g. we have laptops with only a 128gb ssd, Windows with applications can only fit on it very tiny, so such a cache partition could not really be squeezed for space.
Unfortunately the dhcpretry trick didn’t work for the Cisco switches, at that point of the Linbo startup, it doesn’t wait for an ip address, but for the network card to be up (for a moment a script pops up, where it says it’s trying to connect to the network, but it doesn’t wait for it, it just says not ready, I’ll try to catch it with a photo)

I couldn’t catch it perfectly, maybe it just flashes for a second, so at this point of Linbo booting it reboots the network card for the second time (the first one when it asks for dhcp with pxe, it takes about 2 minutes but waits) (after downloading Linbo boot image and after command line interface it would start the gui), but here it doesn’t wait for anything, is there somewhere to edit this?

you’ve got the point :slight_smile:

Of course there’s no need to use LINBO with all of your clients. You can also set the option
iponly. In this case the client will only receive the assigned IP but will not be managed by linbo.

In these cases the entry in your devices.csv looks like this:
bibliothek;vm-bib;none;D2:9B:50:CD:12:4E;10.30.52.136;---;---;;iponly;---;0;;;;MIGRATION;;
(btw: you can also read man devices.csv)

It may be that you have to set the rapid spanning tree protocol correctly for your access ports on the cisco switch. Otherwise it may be that it takes too much time until the port gets ready :man_shrugging:

The MAC-address for this client is registered in the devices.csv and the command linuxmuster-import-devices ran successfully without error-messages?
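As an added example (not code from this thread or from the linuxmuster.net project), a small Python validator for devices.csv that catches the kind of mistakes a failed import or a client that never comes up usually trace back to. The column positions (room, hostname, hardware class, MAC, IP, the sophomorix role in column 9 and the PXE flag in column 11) are assumed from the line quoted above; the rule that a LINBO-managed client needs a hardware class is also an assumption. The extra sample rows are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the first row is the iponly line quoted in this thread, the
# other two are made up (the third one deliberately contains mistakes).
SAMPLE_DEVICES_CSV = """\
bibliothek;vm-bib;none;D2:9B:50:CD:12:4E;10.30.52.136;---;---;;iponly;---;0;;;;MIGRATION;;
r101;pc01;win11;00:11:22:33:44:55;10.30.101.11;---;---;;classroom-studentcomputer;---;1;;;;;;
r101;printer01;none;00:11:22:33:44:5G;10.30.101.300;---;---;;iponly;---;1;;;;;;
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Column positions assumed from the quoted line (0-based):
# 0 room, 1 hostname, 2 hardware class, 3 MAC, 4 IP, 8 sophomorix role, 10 PXE flag.
MIN_COLUMNS = 11


@dataclass
class Device:
    room: str
    hostname: str
    hwclass: str
    mac: str
    ip: str
    role: str
    pxe: str


def parse_devices(text: str) -> list:
    """Split devices.csv into Device records; blank lines and # comments are skipped."""
    devices = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(";")
        if len(f) < MIN_COLUMNS:
            raise ValueError(f"line {lineno}: expected at least {MIN_COLUMNS} columns, got {len(f)}")
        devices.append(Device(room=f[0], hostname=f[1], hwclass=f[2], mac=f[3],
                              ip=f[4], role=f[8], pxe=f[10]))
    return devices


def check_devices(devices: list) -> list:
    """Return human-readable problems; an empty list means the file looks consistent."""
    problems = []
    seen_macs, seen_ips = {}, {}
    for d in devices:
        if not MAC_RE.match(d.mac):
            problems.append(f"{d.hostname}: malformed MAC {d.mac!r}")
        else:
            owner = seen_macs.setdefault(d.mac.upper(), d.hostname)
            if owner != d.hostname:
                problems.append(f"{d.hostname}: MAC {d.mac} already used by {owner}")
        try:
            ipaddress.ip_address(d.ip)
        except ValueError:
            problems.append(f"{d.hostname}: malformed IP {d.ip!r}")
        else:
            owner = seen_ips.setdefault(d.ip, d.hostname)
            if owner != d.hostname:
                problems.append(f"{d.hostname}: IP {d.ip} already used by {owner}")
        # An iponly device is not managed by LINBO, so a PXE flag other than 0 is
        # almost certainly a copy-and-paste slip.
        if d.role == "iponly" and d.pxe != "0":
            problems.append(f"{d.hostname}: iponly device with PXE flag {d.pxe}")
        # Assumption: a LINBO-managed device needs a hardware class to find its start.conf.
        if d.role != "iponly" and d.hwclass in ("", "none"):
            problems.append(f"{d.hostname}: LINBO-managed device without hardware class")
    return problems


def validate_devices_csv(text: str) -> list:
    """Parse and check in one call; the result is the list of problem strings."""
    return check_devices(parse_devices(text))


if __name__ == "__main__":
    for problem in validate_devices_csv(SAMPLE_DEVICES_CSV):
        print(problem)
```

Run it against the real file with `validate_devices_csv(open("/etc/linuxmuster/sophomorix/default-school/devices.csv").read())` before calling linuxmuster-import-devices; the path is the usual one on a v7 server but check it on your own installation.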

And is it possible to clone the image created by Linbo to such an ip only client?
The device import is done successfully, it gets the ip address configured, it’s just that the links are too slow to be up on the switch, I’m reading the rstp description, it talks about setting some edge ports, what would they be, or should I just issue the spanning-tree portfast edge command on a port, and see what happens… :smiley:

it’s beginning to be tricky … I don’t use this feature but maybe Holger @baumhof knows the answer? (So you don’t want to use a local but a „network“-cache for replication… but with only 100 MBit/s: no recommendation :man_shrugging: )

it’s also possible to deactivate rstp completely for access ports on Cisco.

Ok, turning off the spanning tree on the access port does the job, so thanks again (I think I owe you a couple of beers :grin:), I’ll do that on switches like this everywhere, at least I’ll see if I remember the passwords.

One can argue for hours about whether to disable the Spanning Tree or not. The protocol’s purpose is to detect loops and, if so, disable the port automatically. However, if you disable the protocol completely on the switch, the function is also useless.

I’ve never been to Hungary so far … but maybe one day … :beers:

Yes, I know that disabling spanning tree can cause loops in the network, but on the one hand these switches are in a fixed location with hardwired clients, and on the other hand it is only disabled on the access ports (with portfast mode setting), not on the trunk port, which is the uplink, but has a trunked cisco switch at the other end, so it might not be a problem, at least the benefit is greater than the potential risk of disabling the feature.
I only found the password for one of them after many tries, I gave this one a different one for some reason.
But then I’ll really have to do a test installation with Linbo, it’ll take a while, there are a lot of educational programs in the teachers’ repertoire, so I’ll upload everything they might need, so I might not get to the end of this until next week, but that’s ok, I still have time to test it.
Something I can do at home during the long weekend is to do the csv files of the users, I asked earlier in #12 how I can create special groups for network sharing, if it’s easy to answer I wouldn’t open a separate topic for it, we’ve already digressed a bit from the original topic with Linbo, but it’s still somewhat related. :slightly_smiling_face:

I’ve been a bit busy with other things, so I’ve only just started working on the test server again. As you suggested I first just created a simple one-operating-system custom image (only win11 and office21 with browsers on it, this was enough with a 30gb cache partition, only 11gb occupied by the image), the restore works fine on another client. Now here you suggest installing defprof, this has to be done one by one on each client cloned? Or if the client is already cloned and in a domain, should it still always boot with pxe boot and linbo from then on? Is it a bit dangerous to have the reinstall Windows and upload image icon there, or can you just boot from efi partition after that, and from then on you only need Linbo if you need to reinstall or synchronize?

Also, after installing defprof, do I understand that I have to resync the image file? Isn’t it a problem that I gave global-admin a test user password to access the proxy to activate windows and office, is this something else that users get by default or is it just to install something say afterwards then this program and settings are needed to make the image sync work?

Also, if I create a multiboot system, when do I need to upload the image? I suppose for Win you have to go to the point where the description says (right after entering the domain, but before rebooting), I haven’t read Linux description point by point, but I suppose there is a point here and that’s when you have to synchronize? Although with multi boot both operating system icons appear, so in effect 2 separate images are created and then handled separately by the boot manager?

Update

Let’s say I’m stuck with the defprof anyway, what am I doing wrong? I install it, then copy it to the Windows folder, log out, then back in and run the command…

If global-admin is in use, defprof does not work, I have to log out of it and issue the command while logged in as a local admin, then it runs fine. Regardless of this question, do I then need to redo the image sync? Also, is it ok that I have given the global admin a test user password to access the proxy to activate the Ms programs?

the defprof part only needs to be done on 1 pc to configure the default profile.
the new configuration is then applied to all your pcs that download the updated image into their linbo cache.
this can be done over and over again, once u need to have changes in the default profile be applied to all your pcs…

it depends how often u want to update your image on the client pcs… once u change your image on the server u should update the image on the clients to have the changes in effect… thats also a question how good your lan infrastructure is… if this is fine to do over night… or if your dont wanna do it that often… but then ur image must be so good that u dont have to make many changes…
also it is recommended to deactivate windows update… so ur image does not need to be updated all the time… since u can sync ur pcs daily from the linbo cache… they are ready to go each day, even if not all updates are current. thats the idea of linbo.

To answer the defprof part. You have to follow the instructions very carefully.
the behavior u explain sounds normal.

1.)You install all your programs with globaladmin
2.) then you login as local admin and do the defprof magic as local admin.
there you copy the profile of the global-admin to the default profile using the defprof command defprof global-admin in powershell
3.) then u do a restart and image the pc

if u set your proxy settings as global admin and those settings are copied to the default profile… u r done with your proxy distribution problem unless of course u want to have exceptions for special pcs…

for the microsoft licensing part. in general we dont log into microsoft cloud products. u can either setup a kms host for licensing, or i think there is a regpatch for MAK key licensing but i dont know out of my head where to find the instructions…
maybe u open up a new thread for the licensing part.

Ok, thanks, so then defprof only needs to be installed on one machine per hardware class, and it’s so that if I install something on the client afterwards, I can sync it to the image file and then to the other clients. Let’s say I didn’t install anything on the cloned client where I installed defprof I just activated windows/office with kms, only because global-admin doesn’t have internet access by default, so I just did it with a test user password via proxy, which I advertise with wpad, automatically gets all clients in the domain. But for regular synchronization the network will surely be too small (especially since there are some rooms where only the uplinks are gbits, the access ports are only 100mbit, there it takes half an hour per client, it’s not viable to use it often), that’s why I asked if after cloning the pxe boot should always be the default or if the op can go with its own bootmanager.

You can boot any client via PXE all the time … it’s just a setting in your start.conf which method LINBO will choose afterwards. Many of us use sync as the default boot method but you can also simply use start. In this case the client will boot „normally“ without syncing every morning.

Have a look at these settings:

[OS]                          # os section
Name = Ubuntu                 # os name
Version = 22.04 (Jammy)       # version (not used)
Description = Ubuntu 22.04    # detailed description of os
IconName = ubuntu.svg         # icon filename in /srv/linbo/icons
Image =                       # filename of differential image (extension .rsync, optional)
BaseImage = jammy.qcow2       # filename of main image (extension .cloop)
Boot = /dev/sda1              # boot partition (not used, identical with root partition)
Root = /dev/sda1              # root partition of the os
Kernel = /boot/vmlinuz        # relative path to kernel
Initrd = /boot/initrd.img     # relative path to initrd
Append = ro splash            # kernel append parameters
StartEnabled = yes            # show start button
SyncEnabled = yes             # show sync+start button
NewEnabled = yes              # show new+start button
Autostart = yes               # automatic start of os (yes|no)
AutostartTimeout = 3          # timeout in secs for user to cancel automatic start
DefaultAction = start         # HERE!!!! default action on automatic start (start|sync|new)
RestoreOpsiState = no         # restore opsi product state after sync (yes|no)
ForceOpsiSetup =              # comma separated list of opsi product ids, which are forced
                              # to setup after sync (e.g. mozilla.firefox,mozilla.thunderbird)
Hidden = yes                  # hide os tab (unused option, leave it at yes)

Each method has advantages:

  • sync: you can be pretty sure that every client is in its default state
  • start: much faster but the client may have been damaged|compromised in the meantime
  • you can also hide the buttons for „normal users“ but we leave them visible here

If your clients are able to boot via „Wake on LAN“ with a magic packet you can turn them on (let’s say around half an hour before school starts) and you could nevertheless use sync :slight_smile:
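As an added example (not code from this thread or from LINBO itself), a Python parser for start.conf that reads the quoted [OS] block and reports which action each OS will take when the AutostartTimeout expires, so you can audit a whole hardware class for start versus sync before rolling it out. The [LINBO] block and the second [OS] block in the sample are constructed; the grammar assumed is the one visible above (INI-style sections, `key = value`, `#` comments, repeated [OS] sections for multiboot).

```python
import re

# Sample start.conf: the Ubuntu block is the one quoted in this thread, the
# [LINBO] block and the Windows block are constructed to show a multiboot file.
SAMPLE_START_CONF = """\
[LINBO]                       # global section (constructed)
Cache = /dev/sda4             # local cache partition
Server = 10.0.0.1             # LINBO server

[OS]                          # os section
Name = Ubuntu                 # os name
Version = 22.04 (Jammy)       # version (not used)
Description = Ubuntu 22.04    # detailed description of os
IconName = ubuntu.svg         # icon filename in /srv/linbo/icons
Image =                       # filename of differential image (extension .rsync, optional)
BaseImage = jammy.qcow2       # filename of main image (extension .cloop)
Boot = /dev/sda1              # boot partition (not used, identical with root partition)
Root = /dev/sda1              # root partition of the os
Kernel = /boot/vmlinuz        # relative path to kernel
Initrd = /boot/initrd.img     # relative path to initrd
Append = ro splash            # kernel append parameters
StartEnabled = yes            # show start button
SyncEnabled = yes             # show sync+start button
NewEnabled = yes              # show new+start button
Autostart = yes               # automatic start of os (yes|no)
AutostartTimeout = 3          # timeout in secs for user to cancel automatic start
DefaultAction = start #HERE!!!! (default action on automatic start: start|sync|new)
RestoreOpsiState = no         # restore opsi product state after sync (yes|no)
ForceOpsiSetup =              # comma separated list of opsi product ids, which are forced
                              # to setup after sync (e.g. mozilla.firefox,mozilla.thunderbird)
Hidden = yes                  # hide os tab (unused option, leave it at yes)

[OS]                          # second os (constructed)
Name = Windows 11
BaseImage = win11.qcow2
Root = /dev/sda3
StartEnabled = yes
SyncEnabled = yes
Autostart = yes
AutostartTimeout = 5
DefaultAction = sync
"""

VALID_ACTIONS = {"start", "sync", "new"}
SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_start_conf(text: str) -> list:
    """Return a list of (section_name, {key: value}); repeated [OS] sections are kept apart."""
    sections = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1), {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key outside of any section")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        current[1][key.strip()] = value.strip()
    return sections


def autostart_plan(sections: list) -> dict:
    """Map each OS name to what LINBO does after the timeout: start, sync, new or wait."""
    plan = {}
    for name, kv in sections:
        if name != "OS":
            continue
        os_name = kv.get("Name", "<unnamed>")
        if kv.get("Autostart", "no").lower() != "yes":
            plan[os_name] = "wait"  # no automatic start; a person has to click a button
            continue
        action = kv.get("DefaultAction", "").lower()
        if action not in VALID_ACTIONS:
            raise ValueError(f"{os_name}: DefaultAction must be start|sync|new, got {action!r}")
        plan[os_name] = action
    return plan


if __name__ == "__main__":
    for os_name, action in autostart_plan(parse_start_conf(SAMPLE_START_CONF)).items():
        print(f"{os_name:12s} -> {action}")
```

Pointing `parse_start_conf` at every `/srv/linbo/start.conf.<hardwareclass>` on the server gives a quick overview of which classes boot with `start` (fast, but the client keeps whatever state it was left in) and which with `sync` (clean every morning).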

Thank you, this was again a useful post, although I could have figured out what these start.conf parameters were for myself :blush:, but it’s much faster. This is something I’ll have to test in practice, though, which mode of operation will be optimal, if I just leave the start button active and start it that way, or if I always synchronize so that a client always starts with a clean slate. Am I right in assuming that, in this case, user profiles created by Win are also deleted, so that the user always has to log in everywhere again? This would take valuable minutes out of the lessons, or what exactly is affected by the synchronisation?
Starting clients remotely is a good idea, but I guess for that I need to install openvpn first, reading the description I need to set up a port forwarding on the router as step 0 first, I understand that, but how I can make OPNsense available via a url is not detailed. Again the further steps seem detailed, but I haven’t gone into it that much until I understand the above question.
What I’d like to try is a multiboot (win+ubuntu) Linbo cloning process to see what that would look like, but that’s also not detailed in the description.

Yes – this is indeed a Windows problem: The first login takes time!

  • If you choose sync the local profiles on a client will be deleted next time the student comes to this client.
  • If you choose start the student can login fast(er) at this client as the profile still exists. But the clients don’t use roaming profiles for good reasons.

But Holger (@baumhof) has some very useful answers for this problem. It’s possible to deactivate much of the default profile-stuff! The image and all profiles will be much smaller and the login won’t take so long any more. The following instructions are from our user-wiki (that’s the place where you can find very useful tips that are not in the official manual):
https://wiki.linuxmuster.net/community/anwenderwiki:windowsclient:windows10:win10-abspecken
(maybe the translation for the last word „abspecken“ doesn’t make sense in other languages … :man_shrugging: … )

We don’t use OpenVPN any more. The much better and much faster way for a remote VPN-connection to your OPNSense is Wireguard.
Check this out:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

By the way: You won’t need VPN for a remote client start … if your clients are able to boot via WOL you can simply create a cronjob. But that depends on which NIC you are using :man_shrugging: :interrobang: Sometimes it’s tricky to setup this feature correctly.

And last but not least:
Your first steps with LINBO will take place via the client and the web interface. However, if you want to serve multiple clients simultaneously or later synchronize multiple operating systems simultaneously, you’ll sooner or later need to use the ingenious tool linbo-remote directly on the server. This tool is also able to wake up your clients with the magic packet and the option -w :slight_smile:
(linbo-remote --help) But one step at a time…

Greetings,
Michael

Wireguard … you can also follow this video …

Hi Fenyo,

yes and no.
I explain:

  1. yes, defprof (as all programs) only has to be installed on the computer you use to create the image (let’s call that one „Master“).
  2. no, it does not only have to be installed, it has to be run after every program-installing session on Master

Let’s say you have your image and we call it A.
In A there is software installed already (like LibreOffice, VLC …).
You want to install additional software, let’s say: Audacity and gimp.
Your steps to do so would be the following:

  1. reboot Master and sync it with „New and sync“ (to make sure it’s clean and in the state after the last creation of the image A)
  2. log in as global-admin and install the programs
    VLC and Audacity
  3. start both of them!
    usually programs start the first time with „a tip of the day“ or some other nag screen or some additional settings windows. You don’t want every user to see those windows every time they start the program after a sync. So global-admin has to see them and get rid of them (by unticking the „show this again“ box or by providing the additional settings).
  4. now you have to make sure every user gets those „no tip of the day“ settings. And that is done by „copying the global-admin profile over the default profile“. This is done in a command line started „as Administrator“ AND not while global-admin is logged in or was logged in!
    So reboot unsynced and log in as local Admin.
    Open the CMD „as Administrator“ and type in
    defprof.exe global-admin
    There will be (in the first run only) a question about AppX Service (or something like that): say „Yes“
    the global-admin profile will be copied (parts of it) to C:\Users\Default Profile
    and the registry parts of it will be freed of the username global-admin (generalized)
  5. reboot and create image B
  6. boot another client in that hardware class and sync
  7. login on that second computer as a network user (not global-admin: use a teacher or a student account) and test your programs. Nag screen there?

LG
Holger

Thank you very much for the useful ideas, I’ll look into it, by default the Windows login is not a quick story (Linuxschools handled this somehow quickly, I don’t know if I could figure out how to do it), respectively every student has 100Gb Onedrive space, which also has a not very fast login, and there are also things that they have to log in depending on the course material, which also takes time, so we have to think about how to speed it up if we use it with synchronization…
Thanks for the wireguard tip, it also says here that I am behind a router, no port forwarding needed here then (the description mentions port 51820, which wireguard uses by default)? I just need to follow description, no prerequisites? By tomorrow then this will be the program connected to the server. :slightly_smiling_face:
Holger, thank you for the point by point description how to use this defprof, I will try it :man_bowing:, it is a useful feature if a program is accidentally missed or later found out that it is needed, and the programs’ default settings are also good if they are transferred to the default profile, and then you don’t always have to look at the first run. By the way, since global-admin doesn’t have internet access by default, but since I automatically advertise the proxy to clients with wpad, so I activate Win and Office through the proxy with test user password (some default settings are tied to activation), does this password go into the default profile, or since each user enters with her/his own password, so he is authenticated with it before?

Thanks, Fenyő

Hello,

Wireguard is installed, so now I can access the server remotely if needed, so one more working feature. :slightly_smiling_face:
What doesn’t work is that if I want to import users with Hungarian accents, it only accepts it for students csv, teacher and extrastudents it gives an encoding error. Is there a way to use accents in the other 2 csv? Also, for service staff, where do you usually add them (there are only teacher and student categories)?

I also tried defprof, but I could only upload a complete image afterwards, incrementally it wouldn’t let me. It seems to work, in the sense that when I log in with a domain user, the settings I specified with global-admin are active. What doesn’t is that when I clone the image file to another client, the hostname is no longer correct, it remains the same as the original image file, so it can only be renamed out of the domain, and then re-entered with the correct name, as long as it’s not synchronized of course. So it’s not a coincidence that the description says that the image file must be created after entering the domain, but before restarting for it to work correctly, but then how can defprof be used correctly, because it can only be used on a client that has entered a domain, so it’s not really clear.
Update: For the recreated image, you need to add the win10.reg file in Linbo again, then you will get the correct hostname for the client.

Hi Feynő ← are these Hungarian accents absolutely necessary or can you still understand the name if you do without it?

I just ask because there’s a tool called sophomorix-newfile which could help you with it (sophomorix-newfile --help)

This sounds to me as if you didn’t use the reg-Files from the examples folder correctly?

And: Wireguard is cool … the peer generator makes it easy to generate a client’s config. Nevertheless you can also use the quickstart for this:

Yes to the Linbo question, I realised where I made a mistake, so that’s clear.
The weird thing is that in students.csv it allows accents only in extrastudents and not in teacher, in those it only allows vowels without accents, like in English (so á,é,í,ó,ö,ő,ú,ü,ű can only be used in students.csv). This would be important to work, at least for teachers, for extrastudents it is less interesting.

In german we have „german umlaute“ which are äöü and a letter called „scharfes s“: ß. (with its own wikipedia article :slight_smile: )

I’m always glad when none of these letters appear in any csv-files because it makes many things easier without using them.

In german it’s possible to replace ä with ae (and ü with ue, ö with oe and ß with ss) with the same meaning.
I don’t know if there’s a similar way in your language, too? :man_shrugging: